A company’s most important security perimeter is no longer machines, but rather the people who use them. Sensitive business data and communications have been brought into homes, which are often less secure than a corporate office.
Meanwhile, the stress and distraction brought on by this global health crisis make humans more vulnerable than ever to phishing and social engineering schemes. Organizations, therefore, need to address the human layer in security so that employees are protected just as well as the technology they’re using.
Why Current Solutions are Falling Short
It has historically been very difficult to protect human-machine interactions from these kinds of errors, malicious behavior and manipulation. Existing solutions are falling short due to two main hurdles: they’re either not very effective or they disrupt employee productivity.
The first solution involves restricting employees’ access to certain systems and sensitive data so that a breach is not possible. This could ensure that the loss of that data is prevented, but it can also add friction to an employee’s day-to-day experience and stop them from doing their job effectively.
The second solution is rule-based technology. Some rules are designed to stop phishing emails from landing in inboxes; for example, blocking emails when the sender’s name is different from the sender’s email address, as is common in phishing scams. The problem here is that hackers are constantly finding ways around these rules and coming up with new tactics to manipulate humans or systems. Companies find themselves updating their rules whenever they learn of a new threat, which is not only time-consuming but also works only against known threats. Other rules place limits on employees’ activity; for example, a rule that blocks staff from sending emails to certain “freemail” domains. But these rules can impede employee productivity if they’re too restrictive; freelance employees in particular often rely on freemail accounts.
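To make the two kinds of rules concrete, here is an added example (not code from this article or from any product) that implements a sender-name mismatch check and a freemail recipient block, then runs them over constructed messages. The organisation domain, staff names, freemail list and all addresses are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed values for this example; none come from the article.
ORG_DOMAIN = "example.com"
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
STAFF_NAMES = {"dana reyes", "lee park"}
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def inbound_name_mismatch(raw):
    """Inbound rule: the display name claims an identity the address does not match."""
    name, addr = parseaddr(message_from_string(raw).get("From", ""))
    sender = domain_of(addr)
    embedded = ADDR_IN_NAME.search(name)
    if embedded and embedded.group(1).lower() != sender:
        return True  # the name shows an address on a different domain
    # The name is a staff member, but the mail originates outside the organisation.
    return name.strip().lower() in STAFF_NAMES and sender != ORG_DOMAIN

def outbound_freemail_hits(raw):
    """Outbound rule: list recipients on freemail domains (the rule would block these)."""
    msg = message_from_string(raw)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [a for _, a in rcpts if domain_of(a) in FREEMAIL]

# Constructed sample messages (headers only).
SPOOFED = 'From: "Dana Reyes" <dana.reyes@mail-example.test>\nTo: lee.park@example.com\nSubject: Invoice\n\n'
EMBEDDED = 'From: "dana.reyes@example.com" <billing@payments.test>\nTo: lee.park@example.com\nSubject: Invoice\n\n'
INTERNAL = 'From: "Dana Reyes" <dana.reyes@example.com>\nTo: lee.park@example.com\nSubject: Notes\n\n'
TO_FREELANCER = 'From: lee.park@example.com\nTo: "Sample Freelancer" <freelancer-sample@gmail.com>\nSubject: Brief\n\n'
TO_PARTNER = 'From: lee.park@example.com\nTo: ops@partner.test\nCc: dana.reyes@example.com\nSubject: Brief\n\n'

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("embedded", EMBEDDED), ("internal", INTERNAL)]:
        print(f"inbound  {label:13} flagged={inbound_name_mismatch(raw)}")
    for label, raw in [("to_freelancer", TO_FREELANCER), ("to_partner", TO_PARTNER)]:
        hits = outbound_freemail_hits(raw)
        # A legitimate freelancer address is blocked too: the productivity cost.
        print(f"outbound {label:13} blocked={bool(hits)} {hits}")
```

The outbound rule cannot tell a legitimate freelancer from a misdirected email, so it blocks both, and every constant at the top is something an administrator has to keep current by hand.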
The third solution is to put policies in place to restrict certain human behaviors and offer training to reinforce security best practices and bring awareness to the latest threats. But policies and training are not enough to stop data breaches caused by human error. There is no guarantee that employees will remember the policy or the training at the moment of potential error, which often comes during times of stress when employees are faced with overwhelming to-do lists.
Companies Must Prioritize Protecting Humans Alongside Machines
Employees are in control of more business-critical data than ever before and their actions could be putting it in danger. Businesses must prioritize the human element in the larger security challenge.
Addressing this missing element will require understanding the patterns in human behavior that lead to breaches, identifying the ways in which hackers manipulate human psychology, and putting solutions in place that catch incidents of human error as they happen, without impeding productivity. New tools can be used to detect incidents of human error and block them in real time without disrupting workflows. Many security leaders are already using machine learning and artificial intelligence to protect the networks, devices and databases in the enterprise. The same level of attention must be given to protecting the people who use them.